Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Chinese Hackers Exploit Roundcube Vulnerabilities in Universities

Chinese Hackers Exploit Roundcube Vulnerabilities in Universities

Posted on July 7, 2026 By CWS

Introduction: A cybersecurity alert has been raised as a group of hackers, believed to be aligned with Chinese interests, have been observed exploiting vulnerabilities in Roundcube webmail software. This campaign specifically targets physics and engineering departments at universities in the United States and Canada.

The attackers are taking advantage of previously patched critical security weaknesses in the open-source email platform. Notably, vulnerabilities like CVE-2024-42009, which holds a CVSS score of 9.3, are being used to steal credentials and deploy tools such as a web shell for ongoing access or a known tool called VShell.

Targeted Institutions and Methods

The threat group, currently tracked by Proofpoint under the code name UNK_MassTraction, was first identified in May 2026. Their focus is on administrative and academic staff, particularly within departments involved with national security or fields like astrophysics and particle physics.

Proofpoint reports show that the attackers utilized compromised email senders and exploited domains vulnerable to spoofing due to weak DMARC policies. This strategy not only broadened their target range but made tracing the attacks more challenging.

Exploitation Techniques and Tools

The attackers employed cross-site scripting (XSS) exploits that only necessitated the recipient to open the email in Roundcube, granting access to the mail server. It appears that the attackers conducted thorough reconnaissance to identify departments using vulnerable Roundcube versions before launching phishing emails that triggered exploits for CVE-2024-42009.

After exploiting these vulnerabilities, a payload named IceCube is deployed. This malware is engineered to extract credential information, including two-factor authentication details and cookies. It gathers additional data about the user’s browser environment, which is then sent to an external server.

Advanced Malware Deployment

The IceCube malware further exploits the session’s CSRF token to activate a second vulnerability, CVE-2025-49113, which allows remote code execution in Roundcube. This process aims to establish a foothold in the mail server, executing tools like VShell or a web shell known as SquareShell.

Should the web shell installation fail, the attackers have a backup method involving a shell script that uses the SNOWLIGHT ELF loader. This script is suspected to be shared among Chinese hacking groups, similar to other tools like ShadowPad.

IceCube also employs ‘deferred triggers’ to maintain the infection chain’s persistence. These triggers monitor user actions like closing the browser or logging out, and if detected, they reinitiate the exploit process, preserving the attack’s continuity.

Conclusion: This campaign is the first instance of Chinese hackers targeting Roundcube vulnerabilities, a tactic previously seen with Russian state-sponsored actors. The sophisticated use of n-day vulnerabilities and mature tools underscores the importance of securing email servers alongside other critical network infrastructure to prevent such intrusions.

The Hacker News Tags:Chinese hackers, credential theft, CVE-2024-42009, CVE-2025-49113, Cybersecurity, hacking campaign, IceCube malware, Proofpoint, Roundcube, SNOWLIGHT, UNC5174, university cyberattacks, VSHell, webmail security

Post navigation

Previous Post: Critical Linux KVM Flaw Exposes Host Kernel to Attack
Next Post: Critical Linux Vulnerability Threatens Intel and AMD Systems

Related Posts

From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools The Hacker News
AI Value in SOCs: What the Next Wave Must Offer AI Value in SOCs: What the Next Wave Must Offer The Hacker News
Why Traditional DLP Solutions Fail in the Browser Era Why Traditional DLP Solutions Fail in the Browser Era The Hacker News
Enhance Phishing Detection to Prevent Business Risks Enhance Phishing Detection to Prevent Business Risks The Hacker News
Cursor AI Code Editor Flaw Enables Silent Code Execution via Malicious Repositories Cursor AI Code Editor Flaw Enables Silent Code Execution via Malicious Repositories The Hacker News
Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark